Hello @mcrawshaw,
Welcome to the Community! If the identity provider is an OIDC provider (e.g., Google), you should get `email_verified` in the security token from the provider. If it is a SAML provider, you have a couple options:
- Have the provider add an `email_verified` claim to the SAML assertion,
- Map some other value to `email_verified`.

We went with the second option. From what I can tell, because `email_verified` is a boolean, you can map any truthy value to it. For example, we are mapping the `nameidentifier` field to `email_verified`:
{
"user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"email_verified": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}
We know our 3rd party provider will always provide a valid `nameidentifier`, which in this case happens to be the user’s email address, so by mapping that string to `email_verified`, we get `email_verified` set to `true` at account creation time. I am submitting feedback to Auth0 to allow us to edit `email_verified` for Enterprise users.
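
The mapping in the post above, modelled as an added example (not the poster's or Auth0's code): it shows that the resulting flag tracks only whether the identifier is present. The truthiness coercion is an assumption taken from the post's description, and `apply_mapping`, `presence_only_flags` and the sample claims are hypothetical names and constructed data.

```python
# Added illustration: models the behaviour described in the post, not Auth0's code.
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Mapping copied from the post.
MAPPING = {"user_id": NAMEID, "email": NAMEID, "email_verified": NAMEID}

BOOLEAN_FIELDS = {"email_verified"}


def apply_mapping(mapping, claims):
    """Build a profile from assertion claims (dict of claim URI -> value).

    Assumption: boolean profile fields are coerced by truthiness, as the
    post describes ("you can map any truthy value to it").
    """
    profile = {}
    for field, source in mapping.items():
        value = claims.get(source)
        profile[field] = bool(value) if field in BOOLEAN_FIELDS else value
    return profile


def presence_only_flags(mapping):
    """Return boolean fields whose source claim also feeds a non-boolean field.

    Such a flag only records that the identifier was present; it carries no
    independent verification signal from the provider.
    """
    string_sources = {s for f, s in mapping.items() if f not in BOOLEAN_FIELDS}
    return sorted(f for f, s in mapping.items()
                  if f in BOOLEAN_FIELDS and s in string_sources)


# Constructed sample claims (not real provider output).
SAMPLE_OK = {NAMEID: "alice@example.com"}
SAMPLE_EMPTY = {NAMEID: ""}

if __name__ == "__main__":
    print(apply_mapping(MAPPING, SAMPLE_OK))     # email_verified is True
    print(apply_mapping(MAPPING, SAMPLE_EMPTY))  # email_verified is False
    print(presence_only_flags(MAPPING))          # ['email_verified']
```

Anything downstream that gates on `email_verified` is therefore relying on the provider's own vetting of the address, which matches the trust statement the poster makes about their provider.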